 Hi this is Laura Chappell and welcome to this video on Deep Space Networking Traffic Analysis. In this video I'm going to show you how I open up a trace file inside of Wireshark and begin the process of customizing Wireshark for Deep Space Networking Traffic Analysis and we'll go through and learn about the bundle protocol and we'll learn about the TCP convergence layer. So let's go over to Wireshark and get started. In Wireshark I've opened up the trace file depicting the Deep Space Networking Traffic. Now we're talking about delay and disruption tolerant networking here or DTN we simply refer to it as and in this scenario we have a host that is sending a bundle of data in bundle segments to another host to be relayed to a third host. So let's see what we have in this trace file. First of all we have some traffic that doesn't have anything to do with our DTN communications. It's this OSPF traffic. So I'm going to get that out of the way. Now what we're left with are some interesting packets here. First of all these top packets that you see they're UDP packets they're kind of sprinkled throughout the trace file. If you were to select one of those packets and look down in the packet bytes window what you would see is in the data portion it appears that we have a host that is announcing its DTN endpoint ID. So 10.0.0.1 is announcing that its endpoint ID is N1 kind of like its name. On the second packet there we have 10.0.0.2 announcing its endpoint ID as N2 and the next packet 10.0.0.3 announcing its endpoint ID as N3. All right that information right there is very interesting but it's not a data transfer process that is just an announcement. What we're interested in are the TCP CL packets. So frame number seven there is the first time we see a TCP convergence layer packet and this is just a keep alive. By looking at these keep lives we can get a general idea of which hosts can see which hosts. So in frame number seven we have 10.0.0.3 sending a keep alive to .4. In the next packet we have .1 sending a keep alive to 3. In packet 9 we have 3 sending a keep alive to 1 and then in a little bit further on we see in packet 19 we have .2 sending keep alive to 4. All right we can build a picture from this. This is what we know so far. It appears that we have four hosts and based on the keep alive we can see which hosts are talking to which hosts. So we can see based on the keep alive that .1 can see .02, .2 can see 4, 4 can see 3, 3 can see 1 but we don't see any keep lives going between .1 and .4. We don't see any keep lives between .2 and .3. So perhaps we have something in the way between those two hosts. It could be something like a planet. So here I have a picture one of the various pictures of Venus with a color filter on it. Now let's go back to the trace file. So let's take a look at when data actually begins to be sent here. We see an awful lot of those endpoint ID announcements and we see a bunch of keep alive and we see some acknowledgments for those keep alive. When we get down to frame number 57 that's the first time we see a larger length frame that probably has some data in it. So let's create a profile in Wireshark and we'll begin the customization process to help us analyze deep space networking traffic. So in the bottom right hand corner on the status bar in Wireshark it says profile default. I'm going to right mouse click on that column there on the bottom and say new and I'm going to name this profile DTN example and I'll say okay. Now Wireshark takes me back to the default settings for profiles and this font is way too small. There's no way I'll be able to see that. So I'm going to zoom in here using the enlarge button on the main toolbar until I get to a font size that I like. Now with all of my profiles I always add one special column. I like to have it up with every all the work that I do analyzing traffic and that column is one that will tell me the conversation numbers in the trace file. Wireshark numbers all the UDP conversations and it numbers all the TCP conversations. It starts numbering each of them at zero and they are exclusive of each other. I'm going to go into the very first packet in here and inside the UDP header there is a field called the stream index field and I want to add this as a column. To add a field as a column you simply right mouse click on that field and say apply as column. I'm going to right mouse click on that column heading and choose to align center for the contents of that column. Now we've started creating this great column but we're not quite finished yet because our TCP traffic is not showing up with a stream index number. We've only told Wireshark to add a stream index column for UDP. So I'm going to right mouse click on that column header and I'm going to choose to edit the column. And I can see right here that the field that it's based on is UDP dot stream and I'm going to add on to this to say or TCP dot stream. It doesn't matter if you do TCP stream or UDP stream or the or this direction doesn't matter either way that will work and I'm going to say okay. There we go. Now as conversations are intertwined it's easier for me to see which conversation I'm currently working in because I have the conversation number on the left hand side. So the next thing I want to do is I want to pull out the most active conversations in this trace file. I'm going to go up to statistics and conversations and I'm interested in the most active conversations based on the TCP layer. I'm going to sort based on the byte count from high to low and there I can see I have two conversations of interest here. These top two are what I want to look at. That's data flowing. So I'm going to right mouse click on the very first line here which is traffic between dot three and dot one. I'm going to right mouse click and prepare a filter based on the selected value going in both ways and then I'm going to go to the second line. I'm going to right mouse click, prepare a filter and this time I'm going to say or selected going in both directions. Wireshark builds the filter for me in the background and I can see exactly what this filter is based on, the IP addresses that it's based on and I'll go ahead and I'll just apply that filter now. So I have two conversations, the top two conversations showing in this trace file. I'm going to go to file and I'm going to save this as a separate trace file now, just these two conversations. I'll go to file, export specified packets and I'm going to call this DTN example. Now I'm going to open up that trace file called DTN example because by default Wireshark only saves the filtered packets. So here we go. Now we have some keepalive segments. Let's take a look down in the packet details window. Here we can see we have an ethernet header, an IP header, a TCP header and then after the TCP header we have the DTN TCP convergence layer protocol or TCP CL. It has its own header and for keepalives all we have is this single little field here saying that it is a keepalive. I want my keepalives to kind of melt into the background here. So I'm going to set up a coloring rule to change the way these show up in the packet list pane so they kind of melt away. I also don't need my capture filter anymore. So in the detail window I'm going to right mouse click on this keepalive packet and I'm going to colorize this with a filter and create a new coloring rule. There's the syntax put in there for this coloring rule and I'm just going to call it TCP CL keepalive. On the bottom of this coloring rules window I'm going to click the background button and I'm going to change the background color to sort of a kind of a washed out grayish color let's say. I'll click okay and okay. Now those keepalives have their own background color of this gray showing up. The next thing I want to do is I want to look for anywhere where it says bundle protocol and I should expand the protocol column so you can see what's marked as TCP CL. Frame number 14 shows up and in the info column it says bundle TCP CL segment. TCP segment of a reassembled protocol data unit. Wireshark's TCP reassembly function is on and we'll talk about how that affects the view in just a little bit. But if we look inside of frame 14 I'm going to move this up. What we can see is we can see that we have the TCP header and then right after that Wireshark is telling us that three different segments have been reassembled to create this bundle segment. Let's stop for a moment and let me show you how bundles relate to bundle segments which relates to TCP segments. The bundle protocol is essentially an application and you would have some other application that uses it. Let's say you wanted to do FTP across the galaxy. You could do that. You would type in your FTP commands but that command would go through the bundle protocol to transfer data. We would have a bundle here of data and bundles need to be transferred around. It could be scientific information. It could be video. It could be pictures of the surface of a planet or something like that. It doesn't matter. You have this big bundle of data and the bundle protocol is a store and forward protocol. Again it's covered in RFC 5050 if you want to go look up some information about this. But when a bundle of data is going to a target system it can be split up into bundle segments and that is what we see in this trace file. In this trace file the bundle that is being transferred from the first host to the relay has split the bundle up into four different segments. When we look at it on the cabling system it's really strange because we're so used to an application sending down a certain amount of data and then the TCP segments go all the way to the end of the data and stop. That's not the way it's done with the bundle protocol. A TCP segment may have some data from bundle segment A and it may have some data from bundle segment B inside of it. So you can see that if this first bundle segment is going across the network it's got a TCP segment another TCP segment and then part of the third TCP segment is part of segment A and then bundle segment B goes out but part of bundle segment B is sitting in the third TCP segment here and then we have a TCP segment devoted to bundle segment B another one and then we only needed part of another TCP segment but why stop the TCP segment and create a new one? Nope. We will have bundle segment C and it starts in the middle of a TCP segment. Literally you will see a header inside of this segment right here indicating that this new bundle is coming up. Same thing with the final bundle segment. There will be a header right at the beginning of this bundle segment saying that this is the start of a new set. So let's go take a look at these bundle segments as they show up delivered by TCP segments. So in the info column we see on frame number 14 it says bundle TCP CL segment and when we click on it we have an indication here of which packets were required to put together this first bundle segment. Frame number 11 frame 13 and frame 14 and the numbers in parentheses are how much data fits into this bundle segment. Now we can also see below this this is the TCP convergence header and unlike the TCP or the TCP CL keep alive there are more fields there are a total of four fields in this TCP convergence header. So we have the packet type field so this is data then we have this is indented so don't get stuck on this these are not new fields this is the summary line for these two below. There is one bit that would indicate if this is the start of the entire bundle and there's another bit that indicates if this would be the last packet of the entire bundle and then we have a line that tells us what that how I should say how large that TCP bundle segment is that is a bundle segment length. So let's do some customization of Wireshark based on these fields. Number one I want to take the packet type field and I'm going to right mouse click on this and apply this as a column there we go it's easy now to see the difference between keep lives there and where data packets are and then I also want to do the same thing for segment contains start of bundle I'm going to right mouse click here and this is the start of bundle packet so I'm going to apply this as a column and we can see that it's true I'm going to center align that and then this next field segment contains end of bundle I'm going to add that as column as well and I'll center align that now it's pretty easy to look through the trace file and see which packets are the start of the bundle and then farther on we'll be able to see which packets are the end of the bundle that's the end of the entire bundle not the bundle set or bundle segment but the bundle itself to make it even easier to detect these I'm going to set up two coloring rules I'm going to set up one coloring rule that turns all packets that are the start of the bundle a green color and then the end of the bundle red so in frame number 14 I'm going to right mouse click on this line that says segment contains start of bundle and I'm going to choose colorize with filter new coloring rule and I it's already set to a one because this is the start so I'm going to just name this start of bundle and then for the background I'm going to choose sort of a lime green ish now by setting that coloring up it's very easy for me to detect where the start of the bundles are in the trace file three of the packets should have matched that here's another thing we can do we can right mouse click on that field and just simply prepare a filter based on the selected value that just puts that filter to detect the start of bundle packets up in my display filter area and the far right hand side of the display filter area there's a little plus there I'm going to click that plus and I'm going to turn this into a button I'm going to give the button a label which is going to be s dash bundle that to me means start of bundle I'll say okay now I have a button when I click on it any packets that have the start of bundle bit set to a one will show up let me clear out the filter that the button just applied I want to do to do the same thing with the end of bundle I want to give it a color I'm going to give it a vibrant red and then I'll make a button so I can easily detect the end of bundle and just show those packets now this packet has the end of bundle bit set to a zero I'm going to change that to a one when I do my coloring rule I'm going to change that to a one when I do my display filter button so I'm going to right mouse click on this packet prepare colorize with a filter new coloring rule name it end of bundle and I'm going to give it a background color of this vibrant red I'll say okay okay so now it's very easy oh I forgot to change the number well it's good for you to see how to edit coloring rules to edit a coloring rule we go to view coloring rules and I wanted to change this to a one at the end there we go all right so now we can see there's the start of a bundle there's the end of a bundle there's a start of a bundle and there's the end of a bundle right here the first start of bundle we see going from 10.0.0.1 to 10.0.0.3 so the first thing we see in here is we see a bundle being transferred from .1 to .3 in bundle segments after that bundle is done right there then down on frame 37 we see another bundle starting and this bundle is from .3 to .4 this is the first bundle being forwarded on by .3 so it's being relayed on and then we see the end of that bundle after it's been relayed and the very last packet that we see here from .3 going back to .1 it's a little strange it's its own bundle we can see that the start of bundle is set at true and the end of bundle is set at true first of all I want to pop up a button up here for end of end of bundle well this I'll use this packet since it has the end of bundle bit set on I'm going to go inside the TCP convergence layer here right mouse click just going to prepare it as a filter based on the selected value there it is that's what I want to build the button on so I'm going to click plus and give it a name e bundle that means end of bundle to me so now if I want to see the end of bundle packets only I can click on the second button I want to see the start I can click on the first button I'm going to go ahead and clear this out now you'll notice that after this bundle has been relayed from three to four there's this packet the strange packet here where it has the start and end of bundle bits set on that means it's its own little bundle and this is actually a reporting packet so let's go inside of it and take a look let me bring up this let's see I'm going to bring this sort of up so we see it up on top and it is frame 49 we're interested in and when we look inside of frame number 49 we see the TCP convergence layer indicating it's the start of a bundle and the end of a bundle also so we're obviously not transferring a bunch of data here and then we'll see the primary bundle header and if we look a little bit farther in here we will see a payload header and beyond this we have the administrative record so this is indicating right here that this is a bundle status report that's the purpose of this packet I don't want this packet to be colored red just because it hit the end of bundle coloring I want this packet to have its own coloring so I'm going to right mouse click on the line that says administrative record type bundle status report and I'm going to choose to colorize this with a filter make a new coloring rule there's that line admin record type one and I'm just going to say that this is the admin report I'm going to turn the background yellow for this one say okay and now there we go this is the admin report and that admin report is being sent from dot three to dot one to say that I successfully delivered the bundle on for you so now let's go up and just take a look at some of the packets in here and how this how this works in frame number 14 wire shark says this is a bundle segment and sure enough if we look inside we can see the data packets that were required to make up this bundle segment packet 11 packet 13 a packet 14 and we can see the amount of data in each of those segments to make up in each of those TCP segments to make up this bundle segment and then when we look down at frame number 18 again on the right hand side it says bundle TCP CL segment and if we look inside of that frame we can see which TCP segments were required to make up this bundle segment and there's the weird one right there so some of the data that's in packet number 14 is part of bundle segment a whereas some of the data in packet 14 is part of bundle segment b the second bundle segment that's very interesting it's a bit of a different protocol and if we keep looking down here and frame number 26 frame number 26 is listed here as bundle TCP CL segment and if we look inside of there we can see oh let's see 14 I think I did that one before let's clear that out and let's go beyond that to the next bundle segment oh maybe I didn't I don't remember so I'm clicking on frame number 26 and in frame 26 oh it just hadn't click I didn't click on frame 26 before it was still selecting frame number 18 so now I'm on frame number 26 that says some of its data is in frame number 18 some of it is in 23 24 and 26 and then the last bundle segment is actually the one that finishes up the whole bundle so frame number 32 we can see its data and if we look down here we can see exactly which frames were required which TCP segments were required to get this bundle segment across it is pretty it can be pretty confusing to look at this because we have bundle segments and then we have TCP segments and they don't necessarily align along the way here we had some acts showing up so here we have the first bundle segment up here and then we have an act down here on frame number 20 this frame number 20 act that we see it is acknowledging receipt of this bundle segment this act down here on frame 27 is going to be acknowledging this bundle segment the act counts up so if I look at frame 20 I see an acknowledgement saying act length 4096 that was how much data was in the first bundle segment I go to the next act and it says now I'm acting up to 8192 bytes because it's now acknowledging the second bundle segment we'll see the next act coming up right here this act is acknowledging the third bundle segment so this guy is acknowledging this bundle segment which of course includes those packets and we can see that it's counted up to 12,288 and then we have the last act here which is counting up also the very last bundle segment it can be sort of confusing to see what's happening when especially when we have wire sharks reassembly feature built into it but what I did is I made a little tcp spreadsheet that goes through what's happening here we have bundle segment one or a bundle segment B bundle segment C bundle segment D there and these are the frames required and the amount of data in each of those frames and we add the data up in the bundle segment we subtract three for the tcp convergence layer overhead and that leaves us with the actual segment of data the amount of data in there same thing here on the second one we it required four packets to get this across subtract the tcp cl overhead and we're at 4096 here another 4096 bundle segment and then the last one isn't quite as long so I'll bring that back in in a moment when we talk about the bundle header itself so all of that was the bundle being transferred from 10.0.0.1 to 10.0.0.3 and then all of a sudden we see 10.0.0.3 transferring this transferring this data over to 10.0.0.4 and the same thing we have data data data data interestingly enough we have some acts that show up later but for something else so when we look at this let's let's reassemble what is being transferred across this network as this bundle is being relayed we can go into any one of the stream one packets and just right mouse click on the frame in the packet list pane and select follow tcp stream this is the data that is being transferred by this bundle at the top of this bundle you have these at signs and those are keepalives so when you click on those you can see you can click and that wire shark will take you to the keepalive packets in the background what is following that immediately the next three bytes is actually the tcp convergence layer for the very first bundle after that we have a bundle header and after that this is all the bundle header and then after that we have the payload header so when we look at our segments going across we have a bundle header that is applied only on the first bundle segment every single one of these bundle segments though starts with a tcp convergence layer header that's how we know it's the beginning of a bundle segment the very first bundle will be followed by a bundle header and then it will be followed by a payload header so these are the header structures that you would see in something like this we need to have that tcp cl header in there because that provides us with the interface between tcp and the bundle protocol it's kind of the shim between the two of them in this slide i'm showing you the amount of data that is carried in each one of these tcp segments and when we add that those up these are the payload values and when you look at the x we just count up from 4096 then we count up from there until we get to our final value let me just finish up by taking you into the bundle header for a moment we're going to go all the way down here to let's pull frame number 32 this is the last frame of the bundle after it has been forwarded to oh wait no that's not the one i want i want to go up to the first hang on i've got a filter on there no wonder so let's go let's go to it doesn't matter which one of the red packets we go to they'll basically have this very similar information in them i'm going to go to this frame 46 let's say that is the final packet of the bundle after it's been forwarded to 10.0.0.4 and let's go into the bundle header and let me bring the bundle header up in that top window there we go there are some strange things about the bundle header here like for example one of the big things that catches people is that this bundle header length field does not include the whole entire bundle header it includes only the fields that follow the bundle header length field so the bundle header is actually 49 bytes and then the payload header is another four bytes so this packet is telling me the last packet of each of the bundle segments and then i can see down here this is the amount of payload now this is different than the final act so if i come up here and let me just show you what i'm talking about here this act right here that we saw this act says that the amount of payload is 15,272 bytes sure enough that's what it is if we add up all of the payload from each of the bundle segments but when we look inside of a bundle header to see how much payload it thinks has crossed the network it's giving us a different value it's giving us 15,219 and the way it gets there is we have to subtract out the 49 bytes from the bundle of the bundle header plus the four bytes of the payload header we got to get rid of 53 bytes from the extra payload headers and bundle header at the front so that's how we get to that particular number so i've shown you how we can add columns i've shown you how we can add buttons into wireshark and i've shown you how we can add coloring rules into wireshark to make analyzing the bundle protocol and the tcp convergence layer protocol a little bit easier